20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25-08-2024 19:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
Size

47KB
MD5

4aa940de38e334f3830dcec55db92f46
SHA1

57305b8da79ccd2dbc34d337bf7950b6f27f0380
SHA256

20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8
SHA512

837b22b420b477c1931b8be882f86e9e0db861d793e6e2345d553cc1a4f9d13166eda8ba73fc90c0b1e16c13ed8538905829c7867ceebd453d6cda618294142d
SSDEEP

768:/7BlpQpARFbhsYcUYcwaVl2di1xzaVl2di1xDw9:/7ZQpApsYcUYcwaVowfaVowM

Score

9^/10

discovery ransomware

Malware Config

Signatures

Renames multiple (5172) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\Unlock.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.X509Certificates.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\VisioProDemoR_BypassTrial180-ppd.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\QuickStyles\linessimple.dotx.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\HomeStudent2019R_Grace-ppd.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365SmallBusPremR_Subscription3-pl.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Professional2019R_OEM_Perp-ul-phn.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectStdVL_MAK-ul-oob.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\de-DE\tipresx.dll.mui.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Threading.ThreadPool.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\de\PresentationFramework.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\7-Zip\Lang\vi.txt.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\ja\System.Windows.Forms.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pt-BR\UIAutomationProvider.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\tr\System.Windows.Controls.Ribbon.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\resources.jar.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\asm.md.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365EduCloudEDUR_SubTrial-ul-oob.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProXC2RVL_MAKC2R-ppd.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\netstandard.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\cs\System.Windows.Input.Manipulations.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\zh-Hans\System.Xaml.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial3-ppd.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProjectProR_Retail2-pl.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\VCRUNTIME140_APP.DLL.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.ValueTuple.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\PresentationFramework.Aero2.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\O365ProPlusR_SubTrial1-ppd.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\pt-BR\ReachFramework.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jre-1.8\bin\javafx_iio.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019R_OEM_Perp-pl.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\ClientOSub_eula.txt.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\LogoImages\FirstRunLogoSmall.contrast-white_scale-80.png.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\fr\UIAutomationClientSideProviders.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\lib\deploy\splash_11-lic.gif.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Client\msvcr120.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\AccessVL_KMS_Client-ul-oob.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Outlook2019VL_MAK_AE-ul-oob.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\Publisher2019R_OEM_Perp-ul-phn.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\sdxs\FA000000027\assets\Icons\[email protected]	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\System.IO.FileSystem.DriveInfo.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javacpl.exe.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jre-1.8\bin\JavaAccessBridge-64.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\zh-CN.pak.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\PublisherR_OEM_Perp-ppd.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Office16\1033\XLLEX.DLL.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\System\wab32.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\zh-Hant\PresentationCore.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Locales\ta.pak.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jre-1.8\bin\ktab.exe.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\OutlookR_Trial-ul-oob.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\BloodPressureTracker.xltx.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.Security.Cryptography.Encoding.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\ru\System.Xaml.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jdk-1.8\legal\jdk\xalan.md.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Licenses16\ProPlus2019R_PrepidBypass-ppd.xrm-ms.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Microsoft Office\root\Templates\1033\ApothecaryResume.dotx.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\ServiceWatcherSchedule.xml.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\6.0.27\System.Printing.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\Java\jre-1.8\lib\amd64\jvm.cfg.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\7.0.16\pl\ReachFramework.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
File created	C:\Program Files\dotnet\shared\Microsoft.WindowsDesktop.App\8.0.2\ru\System.Windows.Forms.resources.dll.tmp	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe

C:\Users\Admin\AppData\Local\Temp\20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe
"C:\Users\Admin\AppData\Local\Temp\20fd99199312e1b551a54649c3bb7803e4f9213d98b492003f5a1a7f80c735e8.exe"
1⤵
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
PID:4264

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\$Recycle.Bin\S-1-5-21-2718105630-359604950-2820636825-1000\desktop.ini.tmp

Filesize
47KB

MD5
a22a53774f049fd37b31b00bd55aede0

SHA1
8442d883b6e8d6b4994d7121c6e6d95dff7a1f00

SHA256
1adf929bb3dba1ac7a586cd1d8b7398c9b5a6ed3ca62a4f1fedc5930b1f69d46

SHA512
c4aeafcbdcc10653e4ec6ea53279f12380ce723bef8aa0c9520feadf7b5d950349fe3c3c6fa3b87c84ad76515e0e0c04a41f13d327089944c3087efcafacb99a

Download Submit
C:\Program Files\7-Zip\7-zip.dll.tmp

Filesize
146KB

MD5
4e59457849665541ba9dc6d7a06b2d73

SHA1
46a1324f9179f695af875ba597ecafd87f998cf6

SHA256
1f66b2ea3af65c6dba9d519d00bc9ec2de38403aeadc6de7c9dc678c7f2961fb

SHA512
d59a7bc29f7c535e64db74be5fb23b87dbd5ee4ee53df33da7714d81562da727482fb8cd92776e6ad08386ba01708aec55044abadbaf0995b438ee7b7a7f4409

Download Submit
memory/4264-0-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download
memory/4264-947-0x0000000000400000-0x0000000000408000-memory.dmp

Filesize
32KB

Download